Privacy Statement

1. Provider And Responsible Authority In The Sense Of The Data Protection Act

SEC Consult Unternehmensberatung GmbH
Wagramer Straße 16 / 16. floor
1220 Vienna

Data Protection Officer:


Data Protection Officer Germany:


EVIDEN Germany GmbH
Peter Landsteiner
Weissacherstrasse 11
70499 Stuttgart

Other countries:

Please contact us here:


2. General Information

a. Scope

This privacy statement provides users with information on the nature, extent and purpose of the collection and use of their data by the responsible provider.

b. Gender clause

Insofar as the masculine form is used in the contents of this report, it is assumed that this refers to both genders on equal terms.

c. Data economy

We save personal data according to the principles of data avoidance and data economy only as long as it is required or prescribed by law (statutory storage period). If the purpose of the information collected ceases to be relevant or the storage period expires, the data is blocked or deleted.

d. Your rights

In principle, you have the rights to information, correction, deletion, restriction, data portability, revocation and objection (see European General Data Protection Regulation article 12-23). Exceptions: if the issue relates to the prescribed data storage for business processing or if the data is subject to statutory retention requirements.

For these purposes please contact us here:

In order to allow for a data lock at any time, it is necessary to keep the data in a lock file for checking purposes. If there is no legally required archiving obligation, you can also request the deletion of the data. Otherwise, we will lock the data if you so desire.

e. Changes to our data protection policy

In order to ensure that our data protection policy always complies with the current legal requirements, we reserve the right to make changes at any time. This also applies in the event that the data protection policy has to be adapted due to new or revised activities, for example new services. The new data protection policy takes effect on your next visit.

3. Specific Information

a. Website

Every time information about the services offered by SEC Consult is accessed, company information and current contributions to the subject of information security, information (also referred to as server log files) is automatically collected by us or the webspace provider.

Among other information this includes: website name, file, date, data volume, web browser and web browser version, operating system, the domain name of your Internet provider, the referrer URL (the page from which you accessed our offer) and the IP address.

Without this information, it would not be technically possible to deliver and display the website content. In this respect, collecting data is absolutely necessary. Furthermore, we use this information for statistical purposes. They help us to optimise our services and technology. We also reserve the right to check the log files in case of suspected illegal use of our services.

SEC Consult does not track its customers over time and across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals.

i. Cookies

This website uses cookies. Cookies are text files that are stored on your computer by the server. They contain information about the browser, the IP address, the operating system and the Internet connection. We will not pass on this data to third parties or link it to personal data without your consent.

Cookies have two main purposes. They help us make it easier for you to navigate through our services and they also enable the website to be displayed correctly. They are not used to spread viruses or to open programs.

Users have the option to browse our site without cookies. To do so, the corresponding browser settings must be updated. Use your browser’s Help menu to find out how to deactivate cookies. However, may we point out that some features of this website may be impaired and the use of services may be restricted. The pages (Europa) and (USA) allow you to manage online advertising cookies.

ii. Integrating third-party services and content

Our range includes content, services and services from other suppliers. For example, this might be videos, graphics or images from other websites. In order for this data to be retrieved and displayed in the user’s browser, transmitting the IP address is absolutely necessary. The providers (hereinafter referred to as “third-party providers”) detect the IP address of the respective user.

Even if we try to use only third-party vendors who only need the IP address to deliver content, we have no influence on whether the IP address or other information about you is stored by them. If we know that the IP address is going to be stored, we inform our users of this.

iii. Contact form/Instapage

For event announcements we use the services of Instapage, Inc ( is a platform for the creation of micro-sites and online forms.

If you contact us via one of those online forms or by email, we will save the information you provide, your IP address, the time it was sent and whether you opened the form on a computer or mobile device. This allows us to answer your request and ask possible follow-up questions and, if necessary, improve the form or information provided by us on Instapage. Since the SEC Consult website is constructed from static HTML pages, i.e. no interaction with our server is possible on these pages, we use a website created on Instapage for our contact form. Instapage is a platform for creating micro-sites and online forms.

Newsletter subscriptions are regulated by the form created by us on Details on this service can be found under point 4 of this document.

iv. Google AdWords

This website uses the online advertising program “Google AdWords” and its conversion tracking feature. Google AdWords will place a cookie on your computer, provided you came to our website via an Google ad. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits specific pages on our website and the cookie has not yet expired, we and Google are able to recognise that the user clicked on the ad and was forwarded to this page. Every Google AdWords customer receives a different cookie. Therefore cookies cannot be tracked through the websites of AdWords customers.

The information collected using the conversion cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. Customers will see the total number of users who have clicked on their ad and have been redirected to a site with a conversion tracking tag. However, they do not receive any information that allows users to be personally identified.

If you do not want to participate in the tracking process, you can simply disable the Google Conversion tracking cookie using your Internet browser in the user settings section. You will then not be included in the conversion tracking statistics. Find out more about Google’s data protection policy here

v. Matomo

This website uses the web analysis tool Matomo. The data collected in this way is not personal, as the IP address recorded is immediately anonymised. After temporarily saving the shortened IP address for the purpose of analysing user behaviour, it is completely deleted. 

The data collected by Matomo is evaluated to generate reports on user activity and to optimize your user experience. In order to contradict the storage of the cookies, please make the appropriate setting in your browser. Please note that you can only use other areas of this website to a limited extent.

We use Matomo to analyze data from AdWords for statistical purposes. If you do not want this, you can disable it through the Ads Preferences Manager.

b. Events

We offer events to our business partners and potential customers to participate in our events. For example, you may be able to sign up for a meeting on a fair, join a raffle or participate in our Business Breakfast programme. We process your contact information based on our legitimate interest in organising events, e.g. provide enough food and space. We store this information as long as necessary for organising the events. In some rare cases, legal (e.g. tax) obligations may force us to retain them until that obligation lapses. If you wish, we also add you to our contact list and our newsletter, which is a separately described processing activity. We will only pass on your data to third parties if this is necessary to conduct the event, e.g. for booking hotels or delivering ruffle prices.

c. Newsletter

If you sign up for our newsletter, we use the data you enter exclusively for this purpose or to inform you about the circumstances relevant to this service or the registration. We do not pass on this data to third parties.

A valid (working) email address is required to receive the newsletter. The IP address which you use to register for the newsletter and the date on which you order the newsletter will be saved. This data serves as evidence of misuse, if a third-party email address is used to register for the newsletter. In a further step to ensure that bogus email addresses are not added to our mailing list by third parties, we work with the “double-opt-in” process in accordance with the law. As part of this process, the signing up to the newsletter, the sending of the confirmation mail and the receipt of the registration confirmation are all recorded.

You have the right to revoke your consent to the storage of this data, your email address and its use for the sending of the newsletter at any time. We provide a cancellation link in each newsletter and here on our website. You also have the opportunity to inform us of your request to cancel using the contact methods mentioned in this document.

The newsletter is sent via “MailChimp”, a newsletter distribution platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.

The e-mail addresses of our newsletter recipients, as well as their further data described in the context of these notes, are stored on the servers of MailChimp in the USA. MailChimp uses this information to send and evaluate the newsletter on our behalf. Furthermore, MailChimp can use this data according to its own information to optimize or improve its own services, e.g. to technically optimize the sending and presentation of the newsletter or for economic purposes, in order to determine from which countries the recipients come. However, MailChimp does not use the data of our newsletter recipients to write them down or pass them on to third parties.

We trust in the reliability and IT & data security of MailChimp. Furthermore, we have concluded a data processing agreement with MailChimp which also include the applicable standard contractual clauses of the EU Commission. This is a contract in which MailChimp undertakes to protect the data of our users, to process them on our behalf in accordance with their data protection regulations and in particular not to pass them on to third parties. The data protection regulations of MailChimp can be viewed here.

d. Applications

If you apply to a company in the SEC Consult group, that company processes your personal data as a controller. Providing your personal data is necessary for an application to proceed. You are entitled to the data subject rights of EU-GDPR, Chapter 3, as described later in this document.

i. Lawfulness

We process your personal data to take steps prior to an employment at your request (Art. 6 (1) (b) EU-GDPR, possibly in connection with Art. 9 (2) (b) EU-GDPR; In Germany: §26 (1) BDSG). Any additional processing beyond this application process is based on another, separately declared legal basis.

ii. Application process

Our application process is mostly conducted by email. Your application usually encompasses

  • Letter of motivation
  • Curriculum vitae
  • Description of your qualification and education
  • Attestation of your qualification and education

The extent of your application documents is determined by you. We will only collect data necessary to proceed with the application process.

If we invite you to an interview, we collect further personal data encompassing your personal interests and particulars of your professional aspirations and qualification.

iii. Transfer of application data

We share your application data within our organisation with persons involved in the application process: human resources managers, subject matter experts and potential superiors.

SEC Consult may invoke external processors to assess your expert knowledge. We will let you know about this before we transmit your personal data to these processors so that you may check their detailed data protection policies.

iv. Storage and record keeping

If you enter into an employment contract with us, we keep your application data until the conclusion of that contract’s retention periods.

If we do not close an employment contract, we keep your application data for six months (§15 GlBG (AT), §15 II AGG (DE), i.a.). If you want to receive updates on open positions, you may grant us your separate, written consent to do so.

e. Building access

If you want to visit our office locations, we require you to sign our terms of access. This form queries the name of yourself, your organisation and the person you visit as well as the security zone and the time of your visit.

The SEC Consult company you visit controls the processing of this data based on our legitimate interest in a secure office operation, which requires protecting our information and infrastructure. Providing you with the most important security rules in a provable way is an important organisational privacy measure (Art. 32 EU-GDPR) for us. We keep the signed forms for two years. Signing the terms of access is necessary to enter our offices. We do not use automated decision-making w.r.t this processing.

We do not transmit your data to third parties. If we share it among SEC Consult companies outside of the European Economic Area, the safety of your data is ensured this transfer is ensured through standard contractual clauses (Art. 47 EU-GDPR).

f. Lead Management

If you come into contact with us because you are interested in one of our services – e.g. at a trade fair, via a contact form, at an event or in personal contact – we process your contact data, company and role. We use this to advise you about our services and to keep you up-to-date about our portfolio. Our legal basis is our legitimate interest in advertising our offers and – e.g. for the newsletter – your consent. For this purpose we also use service providers, e.g. a CRM and hosting provider.